Invoking AM REST API using client credentials

This topic has 1 reply, 1 voice, and was last updated 1 month, 2 weeks ago by madhun.

  • Author
  • #28400

    My requirement is to be able to programmatically create/update a TrustedJWTIssuer agent and also to update an OAuth 2.0 client application with Client JWT Bearer Public Key.

    1) As part of my analysis, I have so far been able to do the following with ForgeRock 6.5.3.

    – Authenticate user (with password) using openam/json/realms/root/authenticate and get a session token
    – Pass the session token to openam/json/realm-config/agents/TrustedJwtIssuer/<id> to get a TrustedJwtIssuer by id (will try create/update once the following in #2 is resolved).

    2) I would like to be able to achieve the first step (of getting token) by authenticating using client credentials (and some appropriate scope). This is because the above needs to be done using an automated script.

    Just as an experiment, I got a token with the following command (used a random available scope).

    curl -i \
    –request POST \
    -H “Authorization: Basic <client-id:client-secret in base64>” \
    -H “Content-Type: application/x-www-form-urlencoded;charset=UTF-8” \
    -d “grant_type=client_credentials&scope=BillingAgent” \

    Using the obtained token and invoking openam/json/realm-config/agents/TrustedJwtIssuer/<id> resulted in the error “An error occurred whilst trying to use restricted token.”

    Is this because the TrustedJwtIssuer API is not supposed to work with client credentials or because of the wrong scope? Or is it something else I am missing altogether?


    Kinda stuck here, so appreciate any sort of pointers!

    I searched around the AM document quite a bit, but could not find any information on this. I did see the following in the 6.5 document that seems to indicate that it should be possible to operate on the OAuth 2.0 client data using a client credentials token (even if not possible to add/modify Trusted JWT Issuer that is outside the scope of the OAuth 2.0 client application – though this is also something I will eventually need to do).

    6.5 doc excerpt …

    “The Client Credentials grant is used when the client is also the resource owner and it is accessing its own data instead of acting in behalf of a user. For example, an application that needs access to a protected resource to retrieve its own data to perform a task, or update its configuration, would use the Client Credentials grant to acquire an access token.”


Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.

©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?